CVE-2025-61772 Overview
CVE-2025-61772 is a resource exhaustion vulnerability affecting Rack, a modular Ruby web server interface. The vulnerability exists in Rack::Multipart::Parser, which can accumulate unbounded data when processing multipart requests with malformed headers. Specifically, when a multipart part's header block never terminates with the required blank line (CRLFCRLF), the parser continues appending incoming bytes to memory without any size cap. This allows remote attackers to exhaust server memory and cause a denial of service (DoS) condition.
Critical Impact
Remote attackers can send incomplete multipart headers to trigger high memory consumption, leading to process termination via out-of-memory (OOM) conditions or severe application slowdown. The impact scales with request size limits and server concurrency.
Affected Products
- Rack versions prior to 2.2.19
- Rack versions prior to 3.1.17
- Rack versions prior to 3.2.2
Discovery Timeline
- 2025-10-07 - CVE-2025-61772 published to NVD
- 2025-10-10 - Last updated in NVD database
Technical Details for CVE-2025-61772
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). The flaw resides in the multipart request parsing logic within Rack::Multipart::Parser. When processing multipart form data, the parser expects each part's header section to be terminated by a blank line, represented as CRLFCRLF (a carriage return and line feed, twice). When this terminating sequence is never provided, the parser enters a state where it continuously accumulates header data in memory without enforcing any upper bound.
The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted HTTP requests with multipart content that contains header blocks deliberately missing the required terminating blank line. As the server processes these malicious requests, memory consumption grows unbounded until the process is terminated by the operating system or the application becomes unresponsive.
Root Cause
The root cause is missing input validation in the multipart header parsing routine. The Rack::Multipart::Parser component does not enforce a maximum size limit on individual part headers during parsing. This allows an attacker to provide an arbitrarily large amount of data that the parser will continue to buffer in memory, waiting indefinitely for a terminating blank line that never arrives.
Attack Vector
The attack vector is network-based, targeting Ruby web applications that accept multipart file uploads or form submissions. An attacker constructs a malicious multipart HTTP request where one or more parts have header sections that never include the terminating CRLFCRLF sequence. When the vulnerable Rack middleware processes this request, it allocates memory for the incoming header data without bounds checking.
The vulnerability can be exploited through standard HTTP POST requests to any endpoint that processes multipart form data. The severity of the attack increases with higher concurrency, as multiple simultaneous malicious requests can accelerate memory exhaustion.
Detection Methods for CVE-2025-61772
Indicators of Compromise
- Rapid memory consumption increases on Ruby application servers processing multipart requests
- Out-of-memory (OOM) process terminations affecting Rack-based applications
- Unusual patterns of incomplete multipart uploads in web server logs
- Extended request processing times for multipart form submissions
Detection Strategies
- Monitor application memory usage for sudden unexplained growth patterns during HTTP request processing
- Implement alerting on process terminations due to OOM conditions on servers running Rack-based applications
- Analyze HTTP request logs for multipart requests that remain in processing state abnormally long
- Deploy network-level inspection to identify malformed multipart requests missing proper header termination
Monitoring Recommendations
- Configure memory usage thresholds and alerts for Ruby application processes
- Enable detailed logging for multipart request parsing in development and staging environments
- Monitor for patterns of incomplete or malformed multipart requests from specific source IPs
- Track request duration metrics to identify requests that may be triggering the vulnerability
How to Mitigate CVE-2025-61772
Immediate Actions Required
- Upgrade Rack to version 2.2.19, 3.1.17, or 3.2.2 depending on your major version
- Review application dependencies to ensure all Rack instances are updated
- Implement request size limits at the reverse proxy or web server layer as an additional defense
- Monitor for signs of exploitation attempts in production environments
Patch Information
The Rack maintainers have released patched versions that cap the per-part header size at 64 KiB. The following versions contain the fix:
- Rack 2.2.19 for the 2.x branch
- Rack 3.1.17 for the 3.1.x branch
- Rack 3.2.2 for the 3.2.x branch
Security patches are available via the following commits:
For complete details, refer to the GitHub Security Advisory.
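To make the buffering behaviour and the header cap concrete, here is an added Ruby illustration that is not Rack's own code: a minimal reader for one multipart part's header block in the unbounded form described above, next to a bounded form in the spirit of the 64 KiB cap. The function names, the 8 KiB chunking and the sample parts are all constructed for this example.

```ruby
# Added example, not Rack's own code: a minimal reader for one multipart
# part's header block, showing the unbounded buffering behind
# CVE-2025-61772 next to a bounded version in the spirit of the fix.
# All names here are illustrative; Rack's real parser is more involved.

class HeaderTooLarge < StandardError; end
class HeaderUnterminated < StandardError; end

HEADER_TERMINATOR = "\r\n\r\n".freeze
MAX_HEADER_BYTES  = 64 * 1024   # the per-part cap the patched versions apply

# Vulnerable pattern: keep appending every chunk until CRLFCRLF shows up.
# With a body that never sends the blank line, `buf` grows with the request.
def read_part_headers_unbounded(chunks)
  buf = +""
  chunks.each do |chunk|
    buf << chunk
    if (idx = buf.index(HEADER_TERMINATOR))
      return parse_header_lines(buf[0, idx])
    end
  end
  raise HeaderUnterminated, "header block never terminated (buffered #{buf.bytesize} bytes)"
end

# Hardened pattern: the same loop, but reject once the unterminated header
# block exceeds MAX_HEADER_BYTES instead of buffering until OOM.
def read_part_headers_bounded(chunks, max_bytes = MAX_HEADER_BYTES)
  buf = +""
  chunks.each do |chunk|
    buf << chunk
    if (idx = buf.index(HEADER_TERMINATOR))
      raise HeaderTooLarge, "header block exceeds #{max_bytes} bytes" if idx > max_bytes
      return parse_header_lines(buf[0, idx])
    end
    raise HeaderTooLarge, "header block exceeds #{max_bytes} bytes" if buf.bytesize > max_bytes
  end
  raise HeaderUnterminated, "header block never terminated"
end

# Split "Name: value" lines into a hash (constructed helper, not Rack's).
def parse_header_lines(block)
  block.split("\r\n").each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    h[name.strip.downcase] = value.to_s.strip if name
  end
end

# Constructed inputs: a well-formed part and one that never sends CRLFCRLF.
GOOD_PART = ["Content-Disposition: form-data; name=\"f\"; filename=\"a.txt\"\r\n",
             "Content-Type: text/plain\r\n\r\nhello"].freeze
# Valid-looking header lines arriving roughly 8 KiB at a time, but no blank line ever.
BAD_CHUNKS = Array.new(16) { "X-Pad: " + ("a" * 8190) + "\r\n" }.freeze
```

With BAD_CHUNKS the unbounded reader buffers all sixteen chunks (about 128 KiB) before giving up, while the bounded reader rejects the part as soon as the buffered header block passes 64 KiB.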
Workarounds
- Restrict maximum request sizes at the proxy or web server layer (e.g., Nginx client_max_body_size)
- Implement rate limiting on endpoints that accept multipart uploads
- Consider deploying a web application firewall (WAF) to filter malformed multipart requests
- Temporarily disable multipart upload functionality if not business-critical until patching is complete
# Nginx configuration example - restrict request body size
# Add to nginx.conf or site configuration
server {
    # Limit maximum request body size to 10 megabytes for the whole server
    client_max_body_size 10m;

    # Upload endpoint: allow larger bodies than the server default, but bound
    # how long a client may take to send the body
    location /upload {
        client_max_body_size 50m;
        client_body_timeout 60s;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.